I'm having a lot of trouble getting a cross domain POST request to hit an Api controller in the latest beta 2 release. Chrome (and other browsers) spit out: <pre class="prettyprint"><code>OPTIONS http://api.hybridwebapp.com/api/values 400 (Bad Request) POST http://api.hybridwebapp.com/api/values 404 (Not Found) </code></pre> It may be related to this issue but I have applied that workaround and several other fixes such as web.config additions here I've been banging my head with this for a while so I created a solution to reproduce the problem exactly. Load the web app there will be 2 buttons one for GET one for POST and the response will appear next to the button. GET works. Cannot get POST to return successfully. <img src="https://i.stack.imgur.com/VBsBf.png" alt="enter image description here"> I'm able to get a hint at the cause from Fiddler but it makes no sense because if you look at the response it DOES include the domain in the Access-Controll-Allow-Origin header: <img src="https://i.stack.imgur.com/nCMwC.png" alt="enter image description here"> There is a folder in the solution called "ConfigurationScreenshots" with a few screenshots of the IIS configuration (website bindings) and Project properties configurations to make it as easy as possible to help me :) EDIT: Don't forget to add this entry to host file (%SystemRoot%\system32\drivers\etc): <pre class="prettyprint"><code> 127.0.0.1 hybridwebapp.com api.hybridwebapp.com </code></pre> **STATUS: ** It seems that some browsers like Chrome allow me to proceed with the POST regardless of the error message in the OPTIONS response (while others like Firefox don't). But I don't consider that solved. Look at the Fidler screenshots of the OPTIONS request it has Access-Control-Allow-Origin: http://hybridwebapp.com And yet the error: The origin http://hybridwebapp.com is not allowed That is completely contradictory it's as if it's ignoring the header.

Ok I got past this. This has got to be the strangest issue I've ever encountered. Here's how to "solve" it: <ol> <li>Continue on with life as usual until suddenly out of no where OPTIONS requests to this domain begin returning 200 OK (instead of 400 Bad Request) and POST never happens (or at least seems like it doesn't because the browser swallows it) </li> <li>Realize that Fiddler's OPTIONS response mysteriously contains duplicates for "Access-Control-Allow-XXX". </li> <li>Try removing the following statement from you web.config even though you clearly remember trying that to fix the previous issue and it not working:</li> </ol> Remove this: <pre class="prettyprint"><code> <httpProtocol> <customHeaders> <remove name="X-Powered-By" /> <add name="Access-Control-Allow-Origin" value="http://mydomain.com" /> <add name="Access-Control-Allow-Headers" value="Accept, Content-Type, Origin" /> <add name="Access-Control-Allow-Methods" value="GET, PUT, POST, DELETE, OPTIONS" /> </customHeaders> </httpProtocol> </code></pre> Because you already have this: <pre class="prettyprint"><code> var enableCorsAttribute = new EnableCorsAttribute("http://mydomain.com", "Origin, Content-Type, Accept", "GET, PUT, POST, DELETE, OPTIONS"); config.EnableCors(enableCorsAttribute); </code></pre> Moral: You only need one.

CORS POST Requests not working - OPTIONS (Bad Request)

I'm having a lot of trouble getting a cross domain POST request to hit an Api controller in the latest beta 2 release.

Chrome (and other browsers) spit out:

OPTIONS http://api.hybridwebapp.com/api/values 400 (Bad Request) POST http://api.hybridwebapp.com/api/values 404 (Not Found)

It may be related to this issue but I have applied that workaround and several other fixes such as web.config additions here

I've been banging my head with this for a while so I created a solution to reproduce the problem exactly.

Load the web app there will be 2 buttons one for GET one for POST and the response will appear next to the button. GET works. Cannot get POST to return successfully.

enter image description here

I'm able to get a hint at the cause from Fiddler but it makes no sense because if you look at the response it DOES include the domain in the Access-Controll-Allow-Origin header:

enter image description here

There is a folder in the solution called "ConfigurationScreenshots" with a few screenshots of the IIS configuration (website bindings) and Project properties configurations to make it as easy as possible to help me :)

EDIT: Don't forget to add this entry to host file (%SystemRoot%\system32\drivers\etc):

 127.0.0.1     hybridwebapp.com  api.hybridwebapp.com

**STATUS: ** It seems that some browsers like Chrome allow me to proceed with the POST regardless of the error message in the OPTIONS response (while others like Firefox don't). But I don't consider that solved.

Look at the Fidler screenshots of the OPTIONS request it has

Access-Control-Allow-Origin: http://hybridwebapp.com

And yet the error:

The origin http://hybridwebapp.com is not allowed

That is completely contradictory it's as if it's ignoring the header.

How do you fix CORS origin error?

Cross-Origin Resource Sharing (CORS) errors occur when a server doesn't return the HTTP headers required by the CORS standard. To resolve a CORS error from an API Gateway REST API or HTTP API, you must reconfigure the API to meet the CORS standard.

How do I fix not allowed by Access-Control allow origin?

In that case you can change the security policy in your Google Chrome browser to allow Access-Control-Allow-Origin. This is very simple: Create a Chrome browser shortcut. Right click short cut icon -> Properties -> Shortcut -> Target.

How do I fix CORS header Access-Control allow Origin missing?

If the server is under your control, add the origin of the requesting site to the set of domains permitted access by adding it to the Access-Control-Allow-Origin header's value. You can also configure a site to allow any site to access it by using the * wildcard. You should only use this for public APIs.

Ok I got past this. This has got to be the strangest issue I've ever encountered. Here's how to "solve" it:

Continue on with life as usual until suddenly out of no where OPTIONS requests to this domain begin returning 200 OK (instead of 400 Bad Request) and POST never happens (or at least seems like it doesn't because the browser swallows it)
Realize that Fiddler's OPTIONS response mysteriously contains duplicates for "Access-Control-Allow-XXX".
Try removing the following statement from you web.config even though you clearly remember trying that to fix the previous issue and it not working:

Remove this:

    <httpProtocol>        <customHeaders>          <remove name="X-Powered-By" />          <add name="Access-Control-Allow-Origin" value="http://mydomain.com" />          <add name="Access-Control-Allow-Headers" value="Accept, Content-Type, Origin" />          <add name="Access-Control-Allow-Methods" value="GET, PUT, POST, DELETE, OPTIONS" />        </customHeaders>     </httpProtocol>

Because you already have this:

 var enableCorsAttribute = new EnableCorsAttribute("http://mydomain.com",                                                    "Origin, Content-Type, Accept",                                                    "GET, PUT, POST, DELETE, OPTIONS");         config.EnableCors(enableCorsAttribute);

Moral: You only need one.

CORS POST Requests not working - OPTIONS (Bad Request) - The origin is not allowed

Tags:

cors

asp.net

asp.net-web-api

parliament

People also ask

Video Answer

1 Answers

parliament

Recent Activity

Donate For Us

CORS POST Requests not working - OPTIONS (Bad Request) - The origin is not allowed

Tags:

cors

asp.net

asp.net-web-api

parliament

People also ask

Video Answer

1 Answers

parliament

Related questions

Recent Activity

Donate For Us